Time stamping system

ABSTRACT

A secure time stamping device uses multiple virtual clocks, each of which may be individually accessed and calibrated. A digital key is associated with each of the clocks. All of the virtual clocks use a common timer (130), with the actual clock output being generated by applying calibration information (124) for that clock to the timer (130) output. A user wishing to have a message time stamped presents that message along with information as to which virtual clock is to be used at a device input (92). The appropriate calibration information (124) is then selected and the timer (130) output is compensated accordingly. The incoming message plus the resultant time are concatenated and automatically signed using the key (126) applicable to that particular virtual clock.

The invention relates to a device and method for providing digital timestamps on documents or other digital data. Such devices may be used to provide what are sometimes called “Digital Notary Services”.

Devices which can issue digital time stamps on documents or other digital data, by means of a digital signature, are useful in many applications. Typically, such devices include an internal time source which can be trusted to be accurate and which cannot be corrupted by outside means. The output from the time source is combined in some way with the document or other digital data to be time stamped, and the combination is then cryptographically signed. Known devices of this type are described in U.S. Pat. No. 5,001,752 and U.S. Pat. No. 5,136,647.

A generalised view of a known time stamping device is shown in FIG. 1. In normal operation, the device 20 accepts a time stamp request from a client. On receipt of the request, it obtains a time value from a time source or clock 40, and combines it with the data in the request by means of a digital signature, produced by a signature generator 50. The signature generator makes use of a signature key, which is itself kept secret within the device 20 in a key store 80.

The output 55 of the device thus comprises a time stamped and digitally signed copy of the original time stamp request 22.

Setting the clock 40 is the responsibility of an external Time Authority 10. When the Time Authority wishes to reset the clock, it transmits a clock setting request 15 which is received by a clock access control 30. The clock access control checks the credentials presented by the Time Authority and, if the credentials are acceptable, permits the clock 40 to be reset.

Management of the key is the responsibility of an external Key Authority 60. A key access control 70 receives key management signals 65 from the Key Authority and, provided access is granted, updates the key store 80 accordingly.

One of the problems with this type of device is that the Key Authority must implicitly trust the Time Authority to set the time correctly. Often, the Key Authority and the Time Authority are different organisations: for instance, the Key Authority may run a revenue-generating service using machines owned and maintained by the Time Authority. The latter then has to assure the former that its maintenance procedures are fully trustworthy.

It is also quite common for the Time Authority to sub-contract to a third party such as an ASP (Application Service Provider) the operation of the computers on which the service actually runs. In order to reset its own clock, the Time Authority logs in remotely to the computer being operated on its behalf within the ASP.

One individual ASP may, however, wish to provide facilities for more than one Time Authority. This is expensive, as it requires that the ASP provides individual secure computers for each Time Authority that it wishes to service. The hardware required by each Time Authority is essentially identical, but it has to be replicated for security reasons.

A similar problem arises where the ASP wishes to act for a number of different Key Authorities, each of which requires to act as its own Time Authority (in other words, needs to have control over the time used in time stamps which are issued on its behalf). Once again, the only realistic solution is replication of the hardware.

It is an object of the present invention at least to alleviate these problems of the prior art.

It is a further object of the invention to provide a time stamping device and method which can be used by multiple time authorities, key authorities and users, at little additional cost.

According to a first aspect of the present invention there is provided a time-stamping device for digitally time-stamping input data, comprising:

(a) a timer (130) having a timer output;
(b) memory means (120) for storing a plurality of sets of timer calibration information (124), each defining characteristics of a respective virtual clock;
(c) compensation means (140) for adjusting the timer output in accordance with a user-selected virtual clock, to generate a selected virtual clock output; and
(d) signature means (150) for generating a time-stamped output (94) in dependence upon the selected virtual clock output and the input data.

According to a second aspect, there is provided a method of digitally time-stamping input data, comprising:

(a) selecting one set of timer calibration information (124) from a plurality of such sets, each set defining the characteristics of a respective virtual clock;
(b) adjusting a timer output in accordance with the selected set to generate a selected virtual clock output; and
(c) signing data representative of both the selected virtual clock output and the input data to generate a time-stamped output (94).

With such an approach, we can provide different time sources from the same timer, simply by changing the calibration data. The timer is an expensive piece of circuitry, whereas multiple calibration data sets can be stored in a very inexpensive memory device. We can therefore provide for multiple independently-controllable time sources at little extra cost.

The compensation means preferably adjusts the timer output in accordance with a compensation algorithm. This could be user defined (for each of the virtual clocks), but more typically will simply adjust the offset and drift of the timer output in comparison with an externally-maintained reference clock held for example by a Time Authority. Thus, in a simple embodiment, the timer calibration information for each of the virtual clocks may simply consist of two numbers: the offset and the drift rate.

The signature means generates the time-stamped output in dependence upon both the selected virtual clock output and the input data. This could conveniently be done simply by concatenating the selected virtual clock output and the input data, and by signing the resultant concatenated string. Alternatively, other approaches to combining the data prior to signature could easily be envisaged.

Preferably, each signature key may comprise the private part of a public/private key pair within a public key cryptosystem such as for example RSA or DSA.

Access check/control means may be provided to check the credentials of any user wishing to have data time stamped using a particular virtual clock. Likewise, access check/control means may be provided allowing a Time Authority to change the calibration information for a particular virtual clock, and for a Key Authority to carry out key management tasks. It will be understood, of course, that (where provided) the time stamp access control means, the key access control means and the virtual clock access control means are not necessarily physically separate entities: they may if convenient be embodied within the same hardware and/or within the same software routines.

According to a further aspect of the present invention there is provided a time-stamping device for digitally time-stamping input data, comprising:

(a) a plurality of user-selectable clocks, each having a signature key (120) associated with it; and
(b) signature means (150) for generating a time-stamped output (94) in dependence upon an output of a user-selected clock and the input data.

According to yet a further aspect, there is provided a method of digitally time-stamping input data, comprising:

(a) selecting one of a plurality of user-selectable clocks, each having a signature key (120) associated with it; and
(b) generating a time-stamped output (94) by signing data representative of an output of the selected clock and the input data.

The invention may be carried into practice in a number of ways and one specific embodiment will now be described, by way of example, with reference to the accompanying drawings in which:

FIG. 1 is a schematic generalised view of a prior art time stamping device;

FIG. 2 is a time stamping device according to an embodiment of the present invention; and

FIG. 3 illustrates the way in which the time stamping device of FIG. 2 may be used to time stamp an executed document.

The invention proceeds from the recognition that we can construct a controllable clock by taking a free running timer and observing whether it runs fast or slow compared with a reference time source. By determining the offset and drift in comparison with the reference time source we can construct a set of calibration data which we can apply to the output of the timer to convert the timer output to the “correct” time (that is, the time as defined by the reference time source).

While the concept of compensated clock output is, in itself, known, the present applicant has taken the concept further by allowing for the possibility of producing different controllable time sources from the same free-running timer, simply by changing the calibration data. This provides us with a way of creating multiple controllable virtual clocks, all of which use a common physical timer.

FIG. 2 illustrates the preferred time stamping device of the present invention. This provides for multiple virtual clocks, using the same physical timer, each of which has its own access control, calibration information and digital signature key.

The time stamping device shown in FIG. 2 preferably takes the form of a discrete hardware module having a security boundary illustrated by the dotted line 90. Information stored within this boundary may be extracted and/or modified only by users presenting suitable credentials. Thus, to the user, the device effectively appears to be a black box having a single input 92 and a single output 94. Alternatively, for less demanding applications, the device need not be in a separate security module but could be integrated into a general purpose computer system. Some or all of the elements shown may be implemented in hardware or alternatively in software.

As previously mentioned, the device includes a plurality of virtual clocks, the characteristics of each clock being defined by information stored in a memory 120, namely access control information 122, calibration information 124 and key information 126. The key information preferably comprises a public/private key pair. All of the virtual clocks make use of a common timer 130, which may either be a free running timer or, alternatively, may itself receive its time from a trusted external source 134 via a radio aerial 132 or some other means of communication (not shown).

A user wishing to have a document or other data time stamped presents the data along with appropriate access credentials at the device input 92. This information is first passed to an identification section 100 which uses identifier information within the credentials to look up from within the memory 120 the information relating to the appropriate virtual clock that is to be used. The access control information 122 for this clock is passed to an access check section 110, which checks whether the credentials supplied in the request are correct.

Assuming that the access check passes, a time value is then read from the timer 130 and is then corrected by a compensation section 140 using the appropriate calibration information 124 for that particular virtual clock. The calibrated time is then passed on to a signature section 150, where it is combined with the original data supplied at the input 92, and signed with the corresponding appropriate key 126.

The time stamped and signed data is then passed to the output 94.

Requests to calibrate a particular virtual clock (for example on behalf of a particular Time Authority) are also supplied to the device at the input 92, along with appropriate credentials authorising the device to allow the re-calibration. It will be understood of course that these credentials will typically be different from those required for simple time stamp requests. Provided that the credentials are passed by the access check section 110, the calibration information 124 for that particular virtual clock may be updated. Typically, the Time Authority may simply supply a “reference” time in its request, and that is simply compared with a time value read from the timer 130 to compute a new set of calibration data.

The device additionally responds to requests made at the input 92, with appropriate credentials, to perform key management operations, such as setting the key, generating a new key, requesting the public half of the signing key and so on. These functions may typically be required by an external Key Authority.

The access control information 122, for any given virtual clock, may define how and to what extent requests to change the calibration information 124 and/or the key information 126 may be permitted.

Modification of the access control information 122 itself may be permitted on the presentation of different high-level access credentials at the input 92.
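The following is an added worked example, not code from the patent, modelling the "two numbers" calibration described above (offset and drift rate) together with the single-point re-calibration in which a Time Authority supplies a reference time that is compared with the current timer reading. The compensation model assumed here (virtual time = raw timer value + offset + drift × elapsed timer time since calibration), the names `Calibration`, `compensate`, `calibrate_two_point`, `recalibrate_offset` and `SharedTimer`, and all sample readings are assumptions for the example. It goes slightly beyond the text by deriving the calibration from two timer/reference observations, and shows two virtual clocks served by one timer.

```python
from dataclasses import dataclass


@dataclass
class Calibration:
    """Calibration information (124) for one virtual clock.

    Model assumed for this example: the virtual clock's reading for a raw
    timer value t is
        t + offset + drift * (t - t0)
    where t0 is the timer value at which the calibration was taken, offset
    is the reference-minus-timer difference at t0 and drift is the timer's
    fractional rate error relative to the reference clock.
    """
    t0: float = 0.0
    offset: float = 0.0
    drift: float = 0.0


def compensate(timer_value: float, cal: Calibration) -> float:
    """Compensation section (140): raw timer reading -> virtual clock time."""
    return timer_value + cal.offset + cal.drift * (timer_value - cal.t0)


def calibrate_two_point(timer1: float, ref1: float,
                        timer2: float, ref2: float) -> Calibration:
    """Derive offset and drift from two (timer, reference) observations.

    Offset is the reference-minus-timer difference at the first sample;
    drift is how much further the reference advanced than the timer between
    the samples, per unit of timer time.
    """
    elapsed_timer = timer2 - timer1
    if elapsed_timer <= 0:
        raise ValueError("second observation must be later than the first")
    drift = ((ref2 - ref1) - elapsed_timer) / elapsed_timer
    return Calibration(t0=timer1, offset=ref1 - timer1, drift=drift)


def recalibrate_offset(cal: Calibration, timer_now: float,
                       reference_now: float) -> Calibration:
    """Single-point re-calibration: the Time Authority's reference time is
    compared with the current timer reading. The offset is re-based at the
    current timer value; the previously measured drift is kept."""
    return Calibration(t0=timer_now, offset=reference_now - timer_now,
                       drift=cal.drift)


class SharedTimer:
    """Stand-in for the common timer (130): a counter advanced by hand so
    that the example runs deterministically offline."""

    def __init__(self, start: float) -> None:
        self._t = start

    def read(self) -> float:
        return self._t

    def advance(self, seconds: float) -> None:
        self._t += seconds


def demo() -> dict:
    """Two virtual clocks from one timer, each with its own calibration."""
    timer = SharedTimer(1000.0)
    # Constructed observations: authority A's reference ran 1 s per 1000 s
    # faster than the timer and was 10 s ahead of it at timer = 1000.
    cal_a = calibrate_two_point(1000.0, 1010.0, 2000.0, 2011.0)
    # Authority B's reference uses a different epoch (995 s behind), no drift.
    cal_b = calibrate_two_point(1000.0, 5.0, 2000.0, 1005.0)
    timer.advance(2000.0)  # raw timer now reads 3000
    raw = timer.read()
    out = {"raw": raw,
           "clock_a": compensate(raw, cal_a),
           "clock_b": compensate(raw, cal_b)}
    # Authority A later reports that its reference now reads 3015.0.
    cal_a2 = recalibrate_offset(cal_a, raw, 3015.0)
    timer.advance(1000.0)
    out["clock_a_after"] = compensate(timer.read(), cal_a2)
    return out


if __name__ == "__main__":
    print(demo())
```

Because each clock is only a small record of numbers, adding a further Time Authority costs one more `Calibration` entry rather than another timer; the access check that gates who may call `recalibrate_offset` for a given clock is left to the device wrapper.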

FIG. 3 illustrates the way in which the time stamping device of FIG. 2 may be used in practice to time stamp a contract signed by two parties A and B.

A contract 200 is sent separately to the two contracting parties A 202 and B 204 for signature. The individually signed contracts, along with the original contract, are supplied to a hash function 206 which concatenates the inputs and creates a “message digest” 208. This is essentially uniquely representative of both the original contract and the fact that both parties A and B have signed.

The message digest 208 now needs to be presented to the time stamping device, and to that end a requester 210 of the time stamp generates a message identifier (header) 212 containing relevant information such as an explanation of what the document was that has been signed, who the signatories are, a statement that the time stamp will be applied using GMT and so on. In addition, the requester generates the necessary credentials and identifying information 214 which will be used by the device 90 to authorise the request and to ensure that the correct virtual clock is used.

At 216, the credentials 214, header 212 and message digest 208 are concatenated and are supplied to the input 92.

Within the device, the credential and control information 214 is stripped away (as illustrated schematically by the wavy lines 220), leaving just the header 212 and the message digest 208 to be presented as one input to the signature section 150. The other input is a time message 211, as supplied by the compensation section 140. These two inputs are concatenated and digitally signed as previously described using the appropriate private key for that particular virtual clock. The time stamped and signed output message 230 is then sent to the device output 94.

It will be understood of course that any type of digital document or data may be electronically signed and time stamped.
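As an added example (not the patent's own code), the request flow of FIG. 3 end to end: the message digest over the contract and both signed copies, a request carrying credentials plus header plus digest, the device's identification and access check, stripping of the credentials, compensation of the shared timer for the selected virtual clock, and signing of the concatenated header, digest and time message with that clock's key. A keyed HMAC-SHA256 stands in for the RSA/DSA private-key signature the text describes, so that the example runs with the standard library only; the class and function names, the field layout, the `|` separator and every key, credential and timer value are constructed for the example.

```python
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass


class Timer:
    """Stand-in for the common timer (130): advanced by hand for determinism."""

    def __init__(self, start: float) -> None:
        self._t = start

    def read(self) -> float:
        return self._t

    def advance(self, seconds: float) -> None:
        self._t += seconds


@dataclass
class VirtualClock:
    """Per-clock record in memory (120): access control (122),
    calibration (124) and key (126). Field layout assumed for the example."""
    credential: bytes   # secret a requester must present to use this clock
    t0: float           # timer reading at which calibration was taken
    offset: float       # reference-minus-timer difference at t0
    drift: float        # fractional rate error of the timer
    key: bytes          # HMAC key standing in for the clock's private key


class TimeStampDevice:
    def __init__(self, timer: Timer) -> None:
        self.timer = timer
        self.clocks: dict[str, VirtualClock] = {}

    def add_clock(self, clock_id: str, clock: VirtualClock) -> None:
        self.clocks[clock_id] = clock

    def _compensate(self, clock: VirtualClock) -> float:
        """Compensation section (140): apply this clock's calibration."""
        t = self.timer.read()
        return t + clock.offset + clock.drift * (t - clock.t0)

    def time_stamp(self, clock_id: str, credential: bytes,
                   header: bytes, digest: bytes) -> tuple[bytes, bytes]:
        """Identification (100), access check (110), compensation (140)
        and signature (150). Returns (signed message, signature tag)."""
        clock = self.clocks.get(clock_id)
        # Constant-time comparison so the check leaks nothing about the secret.
        if clock is None or not hmac.compare_digest(credential, clock.credential):
            raise PermissionError("access check failed")
        time_message = f"{self._compensate(clock):.3f}".encode()
        # Credentials are stripped; header, digest and time are concatenated
        # and signed with the key belonging to the selected virtual clock.
        payload = b"|".join([header, digest, time_message])
        tag = hmac.new(clock.key, payload, hashlib.sha256).digest()
        return payload, tag


def message_digest(contract: bytes, signed_by_a: bytes, signed_by_b: bytes) -> bytes:
    """Hash function (206): digest over the contract and both signed copies."""
    return hashlib.sha256(contract + signed_by_a + signed_by_b).hexdigest().encode()


def verify_time_stamp(key: bytes, payload: bytes, tag: bytes) -> bool:
    """What a relying party does with the output message (230)."""
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def build_demo_device() -> TimeStampDevice:
    """Two virtual clocks for two authorities, sharing one timer (constructed data)."""
    device = TimeStampDevice(Timer(start=1000.0))
    device.add_clock("authority-A", VirtualClock(b"cred-A", 1000.0, 10.0, 0.001, b"key-A"))
    device.add_clock("authority-B", VirtualClock(b"cred-B", 1000.0, -995.0, 0.0, b"key-B"))
    return device


def demo() -> tuple[bytes, bytes]:
    device = build_demo_device()
    device.timer.advance(2000.0)  # raw timer now reads 3000
    digest = message_digest(b"contract text", b"A signed copy", b"B signed copy")
    header = b"contract; signatories A,B; GMT"
    return device.time_stamp("authority-A", b"cred-A", header, digest)


if __name__ == "__main__":
    payload, tag = demo()
    print(payload, verify_time_stamp(b"key-A", payload, tag))
```

Note that the same request presented with authority B's credentials would carry a different time (the timer reads 3000 but clock B reports 2005.000) and a tag under a different key, which is exactly the isolation between authorities the device is meant to give.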

1. A time-stamping device for digitally time-stamping input data, comprising: (a) a free-running timer having a timer output; (b) a memory means for storing a plurality of sets of timer calibration information, each defining characteristics of a respective virtual clock; (c) means for calibrating each virtual clock by updating the respective timer calibration data set in the memory means; (d) compensation means for receiving the timer output and, for a given user-selected virtual clock, applying the respective timer calibration data set thereto to adjust said output and to generate a corresponding selected virtual clock output; and (e) signature means for generating a time-stamped output in dependence upon the selected virtual clock output and the input data.

2. The time-stamping device as claimed in claim 1 in which each virtual clock has associated with it a respective signature key, the signature means generating the time-stamped output using the key associated with the selected virtual clock.

3. The time-stamping device as claimed in claim 2 in which the signature means concatenates the selected virtual clock output and the input data, and signs the resultant concatenated data.

4. The time-stamping device as claimed in claim 2 in which each signature key comprises a private part of a public/private key pair.

5. The time-stamping device as claimed in claim 2 including key access control means for authorizing requests for key management operations.

6. The time-stamping device as claimed in claim 1 including time-stamp access control means for authorizing user requests to time-stamp the input data in accordance with a given virtual clock output.

7. The time-stamping device as claimed in claim 1 including virtual clock access control means for authorizing requests to modify the calibration information for a given virtual clock.

8. The time-stamping device as claimed in claim 1 comprising a hardware module.

9. A method of digitally time-stamping input data, comprising: (a) selecting one set of timer calibration data from a plurality of such stored sets, each set defining the characteristics of a respective virtual clock; (b) adjusting an output of a free-running timer by applying a respective timer calibration set thereto to generate a corresponding selected virtual clock output; and (c) signing data representative of both the selected virtual clock output and the input data to generate a time-stamped output.

10. The method as claimed in claim 9 in which each virtual clock has associated with it a respective signature key, the method including generating the time-stamped output using the key associated with the selected virtual clock.

11. The method as claimed in claim 10 including concatenating the selected virtual clock output and the input data, and signing the resultant concatenated data.

12. The method as claimed in claim 10 in which each signature key comprises a private part of a public/private key pair.

13. The method as claimed in claim 10 including checking the credentials of requests for key management operations.

14. The method as claimed in claim 9 including checking credentials of user requests to time stamp the input data in accordance with a given virtual clock output.

15. The method as claimed in claim 9 including checking the credentials of requests to modify the calibration information for a given virtual clock.